This Week in Security: Shadow Brokers Hype, Spy Dolls, and Rampant Password Reuse

Don’t Believe the Hype

The computer security world is no stranger to hype, histrionics, and hyperbole. While there are certainly serious issues that are periodically discovered, we sometimes find ourselves halfway to our zero-day shelter before we realize we’ve gotten carried away.

Recently, the folks at Shadow Brokers released another batch of tools, kicking off hours of chaos over whether weaponized zero-day tools could find their way into the hands of script kiddies around the world. While the first look is crucial, you can’t always trust it, as independent testing and an announcement from Microsoft revealed that the vulnerabilities were patched on supported, up-to-date systems. (Everyone’s Windows machines are up to date and supported, right?)

While this spells trouble for legacy systems, unsupported operating systems have been a serious liability for years, regardless of leaked tools. As lcamtuf says, “if you’re scrambling to lock down your Internet-exposed SMB servers in response to the most recent revelations from Shadow Brokers, you’re probably in deep trouble - and it’s not because of the NSA.”

Next on the Wheel-O’-Hype: named bugs! While a recognizable name and central resource for information can be useful for quickly fixing vulnerabilities, sometimes the bug doesn’t live up to the doom-and-gloom marketing, forcing experts to fight the power of reactionary FUD that is out of proportion to the actual threat.

The latest in this saga of overblown threats is ringroad, essentially a design choice that can leak the length of a user’s password in network traffic. The issue appears to be the use of AES-GCM without taking extra effort to obscure the length of the input, leaving the ciphertext the same length as the plaintext.

While this is bad if an attacker can mount offline attacks against the password, the quoted research was limited to online attacks, meaning server-side rate limiting and other safeguards would complicate an attack. Leaking any information about a password, even its length, is not excusable, but it’s difficult to see this being an issue except for passwords that are already weak.
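As an added illustration (not code from the original post or from the research it cites), the following Go program shows both halves of the point above: plain AES-GCM output is the plaintext plus a fixed-size nonce and tag, so a password’s exact length is visible in the ciphertext, while a length-prefix-and-pad step before sealing makes every password up to 62 bytes produce the same 92-byte ciphertext. The 64-byte bucket and the 2-byte length prefix are my own assumptions, not a scheme described on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// bucket is an assumed padding granularity: padded input is rounded up to a multiple of it, so the ciphertext length reveals only the size bucket.
const bucket = 64

// seal is plain AES-GCM with a random nonce prepended. Output is exactly 12 (nonce) + len(plaintext) + 16 (tag) bytes, so sealing a raw password leaks its length byte-for-byte.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// pad prefixes a 2-byte big-endian length and zero-fills to a bucket multiple, so seal(key, pad(pw)) is 92 bytes for every password of up to 62 bytes.
func pad(plaintext []byte) ([]byte, error) {
	if len(plaintext) > 0xFFFF {
		return nil, errors.New("input too long for 2-byte length prefix")
	}
	total := (2 + len(plaintext) + bucket - 1) / bucket * bucket
	padded := make([]byte, total) // zero-filled, so the tail is the padding
	binary.BigEndian.PutUint16(padded, uint16(len(plaintext)))
	copy(padded[2:], plaintext)
	return padded, nil
}

// unpad recovers the original bytes after decryption, rejecting a corrupt prefix instead of slicing out of range.
func unpad(padded []byte) ([]byte, error) {
	if len(padded) < 2 || 2+int(binary.BigEndian.Uint16(padded)) > len(padded) {
		return nil, errors.New("corrupt length prefix")
	}
	return padded[2 : 2+int(binary.BigEndian.Uint16(padded))], nil
}
```

Decryption is the mirror image: open the AES-GCM ciphertext with the prepended nonce, then pass the result through unpad.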

Less than Half of Ransomware Victims Complete Payment

A new study by Trustlook has found that only 38% of ransomware victims pay to remove the ransomware. For starry-eyed optimists, that means that up to 62% of people have regular, functioning backups!

But realistically, this tells us a few interesting things about ransomware infections. Namely, that nearly half of those surveyed don’t see themselves as potential ransomware victims. Additionally, 7% of non-impacted respondents say they wouldn’t pay a ransom. However, 38% of victims did pay the ransom, which ranged from $100 to $500.

We recommend the following practices to safeguard against ransomware infection:

  • Perform backups regularly and periodically verify you can restore from them.
  • Train employees to recognize phishing attacks and common ransomware delivery vectors.
  • Use endpoint protection to catch ransomware that does find its way onto a user’s machine.

Don’t Reuse Passwords

In the latest of a seemingly unending cascade of examples showing that basic security hygiene matters, McAfee had their LinkedIn page briefly hijacked. Though it’s still unclear exactly how this happened, best guesses point towards password reuse being the culprit. Here are some suggestions to better protect your social media accounts from being hijacked:

  • Use a password manager. This makes it easy to avoid reusing passwords, and helps you pick strong passwords.
  • Enable two-factor authentication, if supported. This is an effective extra step preventing password compromise from becoming account compromise.

We can’t be 100% secure 100% of the time, but a bit of due diligence can go a long way in protecting your assets from the cheap-and-easy hacks that are first in line for attackers.

Germany REALLY Doesn’t Want You to Own This Doll

We previously covered many brilliant ‘what-could-go-wrong’ toys that listen to everything your child says, one of which has been banned in Germany since February, but simply banning them doesn’t seem to be enough.

The German Federal Network Agency has clarified that the “My Friend Cayla” doll, which records conversations between the toy and its presumably young owner, is now considered a ‘concealed transmitting device’ and cannot be sold, purchased or possessed. It has reminded consumers that though they do not plan to take action against individuals, parents could theoretically face a fine up to $26,500 and potential jail time if they do not destroy or otherwise dispose of the doll.

Parents unwilling to destroy the doll themselves can follow one German mother’s example and donate the toy to their local spy museum.